Add div to sanitizer supported tags

Ana Nunes da Silva
2024-06-03 11:35:25 +01:00
parent 5f54ea3877
commit 205c7dafd2
2 changed files with 20 additions and 7 deletions


@@ -6,7 +6,8 @@
# We offer an editor which supports certain tags but you can't insert just any
# HTML, which would be dangerous.
class HtmlSanitizer
ALLOWED_TAGS = %w[h1 h2 h3 h4 p br b i u a strong em del pre blockquote ul ol li hr figure].freeze
ALLOWED_TAGS = %w[h1 h2 h3 h4 div p br b i u a strong em del pre blockquote ul ol li hr
figure].freeze
ALLOWED_ATTRIBUTES = %w[href target].freeze
ALLOWED_TRIX_DATA_ATTRIBUTES = %w[data-trix-attachment].freeze
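Review bot: The `div` added to ALLOWED_TAGS on the new line (the one continued onto `figure].freeze`) carries no comment explaining why a generic block container is now acceptable, while the header comment above only says the editor "supports certain tags". Presumably the editor wraps its output in `<div>` elements — the ALLOWED_TRIX_DATA_ATTRIBUTES constant below suggests Trix is in use — so a one-line why-comment such as `# div: kept because the editor emits block-level <div> wrappers — confirm` would stop the next reader from treating it as an accidental widening of the allow-list. Since ALLOWED_ATTRIBUTES is unchanged (`href target` only), a permitted `div` carries no `style`, `class` or `id`, which limits the added surface to document structure rather than styling or script; that reasoning belongs in the same comment so it survives future edits. The class body continues outside the hunk.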


@@ -6,14 +6,26 @@ RSpec.describe HtmlSanitizer do
subject { described_class }
context "when HTML has supported tags" do
it "keeps supported tags" do
html = "Hello <b>alert</b>! <br>How are you?"
expect(subject.sanitize(html))
.to eq "Hello <b>alert</b>! <br>How are you?"
it "keeps supported regular tags" do
supported_tags = %w[h1 h2 h3 h4 div p b i u a strong em del pre blockquote ul ol li figure]
supported_tags.each do |tag|
html = "<#{tag}>Content</#{tag}>"
sanitized_html = subject.sanitize(html)
expect(sanitized_html).to eq(html), "Expected '#{tag}' to be preserved."
end
end
it "keeps supported void tags" do
supported_tags = %w[br hr]
supported_tags.each do |tag|
html = "<#{tag}>"
sanitized_html = subject.sanitize(html)
expect(sanitized_html).to eq(html), "Expected '#{tag}' to be preserved."
end
end
it "handles nested tags" do
html = '<ul><li>Item 1</li><li><strong>Item 2</strong></li></ul>'
html = '<div><ul><li>Item 1</li><li><strong>Item 2</strong></li></ul></div>'
expect(subject.sanitize(html)).to eq(html)
end
end
@@ -44,7 +56,7 @@ RSpec.describe HtmlSanitizer do
expect(subject.sanitize(html)).to eq ""
end
it "removes link tags" do
it "removes base tags" do
html = "<base href='http://phishing-site.com/'>"
expect(subject.sanitize(html)).to eq ""
end
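Review bot: In the first hunk the "keeps supported regular tags" and "keeps supported void tags" examples hard-code their tag lists (`div` now included) instead of relating them to `HtmlSanitizer::ALLOWED_TAGS`, so a future addition to the allow-list passes these examples unnoticed while only a removal fails them. Because that allow-list is the security boundary of this class, it is worth pinning it exactly with one assertion, e.g. `expect(described_class::ALLOWED_TAGS).to match_array(supported_tags + %w[br hr])` inside the regular-tags example, so any widening has to be reflected in the spec deliberately. The per-tag `each` loop inside a single `it` stops at the first mismatch, so a run reports at most one failing tag; generating one example per tag (`supported_tags.each { |tag| it "keeps #{tag}" do … end }`) would report them all at once. The second hunk's rename to "removes base tags" matches its `<base href=…>` body and needs no change. The enclosing `RSpec.describe HtmlSanitizer do` block begins before the first hunk.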